Using digital IDs to sign or encrypt Windows Mail messages

Applies to Windows Vista

Using a digital ID, you can digitally sign your e‑mail to prove your identity. You can also use a digital ID to encrypt messages, keeping them private. Here are answers to some common questions about using digital IDs with Windows Mail.

Digital IDs, sometimes referred to as certificates, allow recipients to verify that an e‑mail was actually sent by you. It's very easy to forge e‑mail return addresses, and using a digital ID helps a recipient know that a message actually came from you. Also, when traveling across the Internet, standard e‑mail messages are the digital equivalent of postcards—they can be read, or even altered, along the way. Digital IDs can be used to encrypt messages, hiding their contents, and they indicate whether a message has been altered in transit to the recipient.

In many businesses, your system administrator will provide you with a digital ID. To obtain a digital ID for personal use, you'll need to obtain one from a certification authority, which is an organization that offers digital IDs.

To set up your digital ID

Open Windows Mail by clicking the Start button, clicking All Programs, and then clicking Windows Mail.

Typical unencrypted e‑mail messages are sent across the Internet in a plain text format, and as they travel to their recipients, they can potentially be read by prying individuals or automated programs. Encrypted messages are messages signed with a digital ID that are sent in a scrambled format that can only be read by your recipient. However, both the sender and recipient must have copies of each other's digital ID to be able to send and read encrypted messages.

Encryption format information for advanced users

Windows Mail is compatible with the Secure/Multipurpose Internet Mail Extensions (S/MIME) version 2 and 3 specifications, and supports the following encryption algorithms: RC2 (40-bit and 128-bit), DES (56-bit), and 3DES (168-bit). Windows Mail can decrypt RC2 (64-bit) encrypted e‑mail, but cannot send messages using this algorithm.
Windows Mail can use only SHA-1 as the hashing algorithm when signing messages. The bit length of your private key varies, depending on the certification authority from which you obtain it and the process used in generating the key.
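The following is an added example, not code from the article or from Windows Mail: it decodes the DER AlgorithmIdentifier that an S/MIME message carries and flags the legacy algorithms listed above (RC2 at 40 or 64 bits, 56-bit DES, SHA-1), using the RC2 parameter-version mapping from RFC 3370 to recover the effective key length. The OIDs are the standard S/MIME ones; the sample DER bytes are constructed here, not captured from real mail.

```python
# Added example, not code from the original article: decode the DER
# AlgorithmIdentifier an S/MIME message carries and flag the legacy
# algorithms the article lists (RC2, DES, 3DES, SHA-1). Standard library only.

# OIDs from RFC 3370 / RFC 3851 for the algorithms named in the article.
ALGORITHMS = {
    "1.2.840.113549.3.2": "RC2-CBC",
    "1.3.14.3.2.7": "DES-CBC",
    "1.2.840.113549.3.7": "3DES-CBC",
    "1.3.14.3.2.26": "SHA-1",
}
# RFC 3370 section 5.2: rc2ParameterVersion -> effective key length in bits.
RC2_VERSION_TO_BITS = {160: 40, 120: 64, 58: 128}

def der_tlv(data, pos=0):
    """Decode one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def assess_algorithm_identifier(der):
    """Return (name, key_bits, weak) for one DER AlgorithmIdentifier."""
    tag, seq, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, oid_raw, pos = der_tlv(seq)
    name = ALGORITHMS.get(decode_oid(oid_raw), "unknown")
    bits = {"DES-CBC": 56, "3DES-CBC": 168}.get(name)
    if name == "RC2-CBC" and pos < len(seq):
        _, params, _ = der_tlv(seq, pos)
        _, version_raw, _ = der_tlv(params)  # RC2-CBC-Parameter.rc2ParameterVersion
        bits = RC2_VERSION_TO_BITS.get(int.from_bytes(version_raw, "big"))
    # Flag anything under a 112-bit key, or the collision-broken SHA-1 hash.
    weak = name == "SHA-1" or (bits is not None and bits < 112)
    return name, bits, weak

# Constructed samples (hex, DER tags annotated), not captured traffic.
SAMPLE_RC2_40 = bytes.fromhex(
    "30 1a 06 08 2a 86 48 86 f7 0d 03 02"  # SEQUENCE { OID rc2-cbc,
    "30 0e 02 02 00 a0"                    #   SEQUENCE { INTEGER 160 (40-bit),
    "04 08 00 00 00 00 00 00 00 00")       #              OCTET STRING iv } }
SAMPLE_3DES = bytes.fromhex(
    "30 14 06 08 2a 86 48 86 f7 0d 03 07 04 08 00 00 00 00 00 00 00 00")
SAMPLE_SHA1 = bytes.fromhex("30 09 06 05 2b 0e 03 02 1a 05 00")
```

Run `assess_algorithm_identifier` over the content-encryption and digest AlgorithmIdentifiers pulled from a message's CMS structure to see which of the article's ciphers a correspondent is still sending with.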

The private keys are stored on your computer and are only as secure as your computer. Private keys installed using Microsoft cryptographic system components will not be transmitted to the certification authority that issues the digital ID; the keys are not stored in escrow with any government agency.

While composing a message, click the Tools menu, and then click Encrypt.

Note

Before sending an encrypted message, you must have a digital ID in Windows Contacts for each intended recipient. If you need a digital ID for your recipient, have your recipient send you a digitally signed message. Whenever you receive a digitally signed e‑mail message, Windows Mail automatically adds the sender's digital ID to your Windows Contacts.

You can read a digitally signed message the same way you would read any other message. To provide further assistance, Windows Mail displays a help screen the first time you open or preview a digitally signed message.

After you send a digitally signed message to a contact, you can read an encrypted message from that person the same way you would read any other message.
To provide further assistance, Windows Mail displays a help screen the first time you open or preview an encrypted message.

If you receive a secure message that has a problem (for example, the message was tampered with or the digital ID of the sender is expired), you will see a security warning that details the problem before you are allowed to view the contents of the message. Based on the information in the warning, you can decide whether to view the message.

If you read a digitally signed message while connected to the Internet, Windows Mail will verify the validity of the message by requesting information on the digital ID from the appropriate certification authority. The certification authority sends back information on the status of the digital ID, including whether the ID has been revoked. Certification authorities keep track of certificates that have been revoked due to loss or termination.
To view the validity status of a digital ID while reading a message, click the File menu, click Properties, and then click the Security tab.

Digital IDs used by Windows Mail are stored in Windows Contacts. Whenever you receive a digitally signed e‑mail message, Windows Mail automatically adds the sender's digital ID to your Windows Contacts. In some circumstances, you may want to manually add a digital ID to a contact. For example, if the contact listed in the e‑mail message doesn't exactly match the name of the existing contact in Windows Contacts, the digital ID will be stored in a new contact instead of being associated with the existing contact.

To manually add a digital ID to a contact from a digitally signed e‑mail message

Open Windows Mail by clicking the Start button, clicking All Programs, and then clicking Windows Mail.

Open a digitally signed message.

Click the File menu, and then click Properties.

Click the Security tab, and then click Add digital ID to Contacts.

To manually add a digital ID to a contact from another source

Open Windows Contacts by clicking the Start button, clicking All Programs, and then clicking Windows Contacts.

Create a new contact or double-click an existing contact.

Click the Digital IDs tab, and then click Import.

Click the digital ID file that contains the digital ID you want to add to the contact, and then click Open.
